Modular exponentiation is a common mathematical operation in modern cryptography. This, along with modular multiplication at the base and exponent levels (to different moduli), plays an important role in a large number of key agreement protocols. In our earlier work [5, 6] we gave many decidability as well as undecidability results for multiple equational theories involving various properties of modular exponentiation. Here we consider a partial subtheory focusing only on the exponentiation and multiplication operators. Two main results are proved. The first result is positive, namely that the unification problem for this theory (in which no additional property is assumed of the multiplication operators) is decidable. The second result is negative: if we assume that the two multiplication operators belong to two different abelian groups, then the unification problem becomes undecidable. This result is established using a construction patterned after those employed in [5, 9], by reducing Hilbert's 10th problem to the unification problem.

1 Introduction 

With network use and online transactions becoming all-pervasive in many applications, especially online shopping, social networking, video-conferencing, group conferencing, and e-voting, multi-party and group protocols need to be employed. These protocols are often complex, rich and sophisticated, built as a collection of protocols whose interaction is often quite complex. Their reliability and security thus become a critical issue, especially when the protocols use arithmetic operators, such as modular multiplication and exponentiation, and boolean operators such as exclusive-or [11]. In collaboration with the Maude-NPA team [3], we have developed an approach for analyzing whether a given protocol is vulnerable to specific attacks by modeling the protocol as a state machine and an execution of the protocol as a sequence of state transitions. The search space is explored using unification and narrowing techniques to handle equational properties of the operators used in a protocol.

Modular exponentiation is a common mathematical operation in modern cryptography. This, along with modular multiplication at the base and exponent levels (to different moduli), plays an important role in the El Gamal signature scheme, the Nyberg-Rueppel key agreement protocol (Protocol 5.3 in [8]), and the MTI and Yacobi-Shmuely protocols for public key distribution (Protocols 5.7 and 5.33 in [8]). In our earlier work [5, 6] we gave many decidability as well as undecidability results for multiple equational theories involving various properties of modular exponentiation. Here we consider a partial subtheory focusing only on the exponentiation and multiplication operators.

The axioms of the theory are

$$exp(g(X), Y) = g(X \otimes Y)$$

$$exp(X * Y, Z) = exp(X, Z) * exp(Y, Z)$$

Here exp is the exponentiation operator and g is exponentiation over a fixed base, such as $2^X$. The multiplication operators $*$ and $\otimes$ are often modulo a prime $p$ and modulo $p - 1$, respectively. The reason for modeling two different exponentiation operators is that in a large majority of protocols, many operations are done using a fixed base. In addition, when specifying such protocols in Maude, as in Maude-NPA, the use of the subsort mechanism can make unification more efficient if the first argument of exp is fixed.

Two main results are proved. The first result is positive, namely that the unification problem for the above theory (in which no additional property is assumed of the multiplication operators) is decidable. The second result is negative: if we assume that the multiplication operators $*$ and $\otimes$ belong to two different abelian groups, then the unification problem becomes undecidable. This result is established using a construction patterned after those employed in [5, 9], by reducing Hilbert's 10th problem to the unification problem for the theory.

The decidability result uses a novel construction and is discussed in the next three sections. The 
next section models the equational properties of the above two axioms as an inference system. Section 3 
analyzes possible reasons when the unification fails, corresponding to the function clashes, occur-check, 
and an infinite application of one of the inference rules. Section 4 gives the unification algorithm along 
with a termination proof. The final section sketches the undecidability proof for the equational theory in 
which, along with the above two axioms, the multiplication operators come from abelian groups. 

2 Inference Rules 

Below we present a set of inference rules for unification. Termination of these rules is proved later. Every equation has the form $U =^{?} t$ with $U$ a variable, as in the rules below; $S$ denotes the remaining equations.

(a) $\{U =^{?} V\} \uplus S \;\Rightarrow\; \{U =^{?} V\} \cup [V/U](S)$, if $U$ occurs in $S$

(b) $S \uplus \{U =^{?} V * W,\; U =^{?} X * Y\} \;\Rightarrow\; S \cup \{U =^{?} V * W,\; V =^{?} X,\; W =^{?} Y\}$

(c) $S \uplus \{U =^{?} V \otimes W,\; U =^{?} X \otimes Y\} \;\Rightarrow\; S \cup \{U =^{?} V \otimes W,\; V =^{?} X,\; W =^{?} Y\}$

(d) $S \uplus \{U =^{?} exp(V, W),\; U =^{?} exp(X, Y)\} \;\Rightarrow\; S \cup \{U =^{?} exp(V, W),\; V =^{?} X,\; W =^{?} Y\}$

(e) $S \uplus \{U =^{?} g(V),\; U =^{?} g(W)\} \;\Rightarrow\; S \cup \{U =^{?} g(V),\; V =^{?} W\}$

(f) $S \uplus \{U =^{?} exp(V, W),\; U =^{?} g(X)\} \;\Rightarrow\; S \cup \{U =^{?} g(X),\; V =^{?} g(V'),\; X =^{?} V' \otimes W\}$

(g) $S \uplus \{U =^{?} exp(V, W),\; U =^{?} X * Y\} \;\Rightarrow\; S \cup \{U =^{?} X * Y,\; V =^{?} V_1 * V_2,\; X =^{?} exp(V_1, W),\; Y =^{?} exp(V_2, W)\}$

The variable $V'$ in rule (f) is a fresh variable. Similarly $V_1$, $V_2$ in rule (g) are fresh variables. The symbol $\uplus$ stands for disjoint union. Furthermore, rules (f) and (g) are applied only when the other rules cannot be applied. The variable $U$ in rule (f) (resp. rule (g)) is called an (f)-peak (resp. a (g)-peak).

A set of equations is said to be reduced if none of the inference rules (a) thru (e) is applicable. A set of equations is brought into this form by eagerly applying rules (a) thru (e). Clearly, rule (f) decreases the number of exp symbols, but (g) introduces new exp symbols. Thus termination of the algorithm is not obvious. For simplicity, we assume that the equations deleted while applying the inference rules are actually put into "cold storage" by a marking strategy.

Before proceeding we will need to define several relations over the variables in terms of the equations, both marked and unmarked. These will be needed later in this paper:

• $U \succ_b V$ iff there is an equation $U =^{?} exp(V, W)$.

• $U \succ_e W$ iff there is an equation $U =^{?} exp(V, W)$.

• $U \succ_{*l} V$ iff there is an equation $U =^{?} V * W$. Likewise, $U \succ_{\otimes l} V$ iff $U =^{?} V \otimes W$.

• $U \succ_{*r} W$ iff there is an equation $U =^{?} V * W$. Likewise, $U \succ_{\otimes r} W$ iff $U =^{?} V \otimes W$.

• $U \succ_m V$ iff $U \succ_{*l} V$ or $U \succ_{*r} V$.

• $U \succ_g V$ iff there is an equation $U =^{?} g(V)$.

• $U \succ V$ iff there is an equation $U =^{?} t$ such that $t$ is a non-variable term that contains $V$.

Clearly all other relations are sub-relations of $\succ$. For a relation $\rho$, let $\rho^{+}$ denote its transitive closure. Let $\sim$ be the reflexive, symmetric, transitive closure of $\succ_b$.

We can also view these relations in terms of graphs, where the nodes are the variables and the edges correspond to the various relations between them; this method was developed by Tiden and Arnborg in [10]. These graphs will be useful in checking for failure conditions during unification. Figure 1 and Figure 2 are example graphs and the resulting transformation after applying an inference rule.

Figure 1: Rule (f)

3 Failure Conditions

Detection of failure involves several cases. Some cases are caused by function clashes and can be detected using the following rules:



(F1) $S \uplus \{U =^{?} exp(V, W),\; U =^{?} X \otimes Y\} \;\Rightarrow\; FAIL$

(F2) $S \uplus \{U =^{?} g(V),\; U =^{?} X \otimes Y\} \;\Rightarrow\; FAIL$

(F3) $S \uplus \{U =^{?} g(V),\; U =^{?} X * Y\} \;\Rightarrow\; FAIL$

(F4) $S \uplus \{U =^{?} V \otimes W,\; U =^{?} X * Y\} \;\Rightarrow\; FAIL$

These are exactly the four pairs of root symbols for which none of the rules (b) thru (g) applies.



Two other failure cases must be addressed. The first is similar to the "occur check" condition in standard unification. The second is a special case in which infinite applications of a rule can happen. Here we use congruence classes over the ground terms, i.e. if $t_1$ and $t_2$ are ground terms and $t_1 =_E t_2$ then they are in the same class.



Lemma 3.1. Every congruence class over the ground terms is finite. Hence, a term cannot be equivalent to a proper subterm of itself.

Figure 2: Rule (g): relevant parts



Proof. The fact that the congruence classes are finite is due to the initial system of equations. If a term were equivalent to a proper subterm of itself, this would create an infinite congruence class by allowing continual replacement of the subterm. □

Lemma 3.2. If there is a variable $X$ such that $X \succ^{+} X$, then there is no solution.

Proof. Follows from Lemma 3.1: this indicates an attempt to unify terms in which one is a proper subterm of the other, resulting in an occur-check failure. □

Next we need to identify cycles between the equivalence classes.

Lemma 3.3. If there are two variables $X$ and $Y$ such that $X \succ_m Y$ and $Y\,(\sim \cup \succ_m)^{+}\,X$, then there is no solution.

Proof. We consider the reduction that follows when exp and $\otimes$ are interpreted as projections onto their first argument. The reduction will enable a simpler proof of the result.

Definition 3.4. Let exp and $\otimes$ be interpreted as projections onto the first argument. For any term $t_i$ we define the term $\hat{t}_i$ such that if $t_i = exp(t_{i1}, t_{i2})$ then $\hat{t}_i = \hat{t}_{i1}$, and if $t_i = t_{i1} \otimes t_{i2}$ then $\hat{t}_i = \hat{t}_{i1}$.

Both axioms of the theory still hold under this interpretation (each side of each axiom projects to the same term), so every solution of the original system yields a solution of the projected one; it therefore suffices to show that the projected system is not unifiable.

Consider the lemma under the interpretation of Definition 3.4. Then any variables related along a $\sim$ edge become equivalent. Now consider paths along $\succ_m$ edges between the equivalence classes formed from $\sim$. By assumption there is at least one $\succ_m$ edge from $X$ to $Y$. We proceed by induction on the length of the $\succ_m$ path. If no additional edges exist we have failure due to $X \succ_m Y$ and $Y \sim X$ (i.e., $X = Y$). Since adding $\sim$ edges does not affect the unifiability of the system, we may assume that we have a cycle of $k$ ($0 < k$) $\succ_m$ edges that does not form a unifiable system, that is, a cycle of the form $E_1 \succ_m E_2 \succ_m \cdots \succ_m E_{k+1}$, where each $E_i$ is an equivalence class, $Y \in E_1$, $X \in E_{k+1}$ and $X \succ_m Y$. Because adding another $\succ_m$ edge would only move $X$ into a lower class, we can see that the cycle is not unifiable. □
Lemma 3.5. If $\{U =^{?} X * Y,\; V =^{?} g(Z)\} \subseteq S$ and $U \sim V$, then there is no solution.

Proof. Because of the bi-directional nature of $\sim$ we prove both directions.

First: let $u = x * y$, $v = g(z)$ and $u \succ_b^{+} v$. If $u \succ_b v$ we must unify the equations $x * y$ and $exp(v, w)$, but this immediately leads to a function clash, since rule (g) then requires unifying $v = g(z)$ and $v = v_1 * v_2$. We can see that for any longer path along $\succ_b$ we can continue to move the $*$ along the path (by rule (g)) until eventually we need to unify $v = g(z)$ and $v = v_1 * v_2$.

Second: let $u = x * y$, $v = g(z)$, and $v \succ_b^{+} u$. Just as in the first direction, we can move the $g$ function along the path (by rule (f)) until eventually we are required to unify $u = x * y$ and $u = g(v')$, a function clash. □



4 Unification Algorithm 

First we need a method for detecting "occur check" failure conditions. To accomplish this, we use the methods developed in Tiden and Arnborg [10], building two special graphs to check for failure conditions.

Definition 4.1. Let $D$ be a graph defined on a reduced system of equations. The nodes in the graph correspond to variables in the system. The edges correspond to the parameters of each equation type, i.e. the relations of Section 2. See Figure 1.

Lemma 4.2. If there exists a cycle in $D$, the set of equations represented by $D$ is not unifiable.

Proof. Directly from Lemma 3.2. □



We will also need to detect cases requiring an infinite unifier. An example of this is the set of equations comprising $U =^{?} exp(X, W)$ and $U =^{?} X * Y$. This (g)-peak would cause a new (g)-peak to be created after each application of rule (g) (see Figure 3). We will use a propagation graph $P$ to check for these conditions.

Definition 4.3. Let $P$ be a directed simple graph defined on a set of equations as follows. Each vertex in $P$ is a $\sim$-equivalence class. There is an edge from the vertex containing $v$ to the vertex containing $w$ in $P$ if there is a $\succ_m$-labelled edge from $v$ to $w$ in $D$. (A self-loop counts as a cycle; in the example above $U \sim X$ and $U \succ_m X$, so the vertex of $U$ has a self-loop.)

Lemma 4.4. If there exists a cycle in $P$, the set of equations represented by $P$ is not unifiable.

Proof. Follows from Lemma 3.3. □

We now give a general unification algorithm for unification modulo the partial theory of exponentiation.

Algorithm 1 Unification modulo partial exponentiation
Require: EQ, the set of equations

  while an inference rule can be applied do
    Build graphs D and P; if a cycle is found, exit with failure.
    If any of rules (F1) through (F4) applies, exit with failure.
    Eagerly apply rule (a).
    Eagerly apply rules (b) through (e).
    Apply rules (f) and (g) if possible.
  end while

Figure 3: $U =^{?} exp(X, W),\; U =^{?} X * Y$
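Algorithm 1 is small enough to run. The following is an added example written for this page (Python; it is not the paper's code and not the Maude-NPA implementation). It keeps equations in the flat form $U =^{?} t$ the rules assume, applies rules (a) thru (g) and the clash rules (F1) thru (F4), and builds $D$ and $P$ over live and cold-storage equations before each round. The term encoding, the name `fresh`, and the use of `None` for FAIL are choices of this example, not of the paper.

```python
"""Added example (not the paper's or Maude-NPA's code): Algorithm 1 over the flat
equations U =? t the rules assume.  Terms are tuples over variable names:
  ('var', V)  ('g', V)  ('exp', V, W)  ('mul', V, W) for *   ('omul', V, W) for (x)
An equation is the pair (U, t).  None plays the role of FAIL."""
import itertools
from collections import defaultdict

_counter = itertools.count(1)

def fresh():
    """Fresh variable for rules (f) and (g); assumes input names never start with '_'."""
    return f"_V{next(_counter)}"

# (F1)-(F4): root-symbol pairs that may not both define one variable.
CLASH = {frozenset(p) for p in [('exp', 'omul'), ('g', 'omul'), ('g', 'mul'), ('mul', 'omul')]}

def has_cycle(succ):
    """DFS cycle test on {node: set(successors)}; a self-loop counts as a cycle."""
    state = {}                                    # 1 = on the DFS stack, 2 = done
    def visit(n):
        state[n] = 1
        for m in succ.get(n, ()):
            if state.get(m) == 1 or (m not in state and visit(m)):
                return True
        state[n] = 2
        return False
    return any(n not in state and visit(n) for n in list(succ))

def graphs_fail(eqs, cold):
    """Occur check on D (Lemma 4.2) and (g)-loop check on P (Lemma 4.4), both built
    over live and cold-storage equations as Section 2 prescribes."""
    all_eqs = eqs | cold
    D = defaultdict(set)                          # U -> every variable of a non-variable rhs
    for U, t in all_eqs:
        if t[0] != 'var':
            D[U].update(t[1:])
    if has_cycle(D):
        return True
    parent = {}                                   # union-find for ~ : U ~ V when U = exp(V, W)
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for U, t in all_eqs:
        if t[0] == 'exp':
            parent[find(U)] = find(t[1])
    P = defaultdict(set)                          # class(U) -> class(V), class(W) when U = V * W
    for U, t in all_eqs:
        if t[0] == 'mul':
            P[find(U)].update({find(t[1]), find(t[2])})
    return has_cycle(P)

def rename(eqs, U, V):
    """The substitution [V/U] applied to every equation in eqs."""
    return {(V if L == U else L, (t[0],) + tuple(V if x == U else x for x in t[1:]))
            for L, t in eqs}

def unify(equations):
    """Algorithm 1: return the reduced system, or None when a failure condition fires."""
    eqs, cold = set(equations), set()
    while True:
        if graphs_fail(eqs, cold):
            return None
        eqs -= {(L, t) for L, t in eqs if t == ('var', L)}          # drop trivial U = U
        by_lhs = defaultdict(list)
        for L, t in eqs:
            by_lhs[L].append(t)
        for ts in by_lhs.values():                                 # (F1)-(F4)
            if any(frozenset((s[0], t[0])) in CLASH for s, t in itertools.combinations(ts, 2)):
                return None
        for U, t in eqs:                                           # (a), eagerly
            if t[0] == 'var' and any(U == L or U in s[1:] for L, s in eqs if (L, s) != (U, t)):
                eqs = rename(eqs - {(U, t)}, U, t[1]) | {(U, t)}
                cold = rename(cold, U, t[1])
                break
        else:
            for U, ts in by_lhs.items():                           # (b)-(e): same root twice
                same = [(s, t) for s, t in itertools.combinations(ts, 2) if s[0] == t[0] != 'var']
                if same:
                    s, t = same[0]
                    eqs.remove((U, t)); cold.add((U, t))
                    eqs |= {(x, ('var', y)) for x, y in zip(s[1:], t[1:])}
                    break
            else:
                for U, ts in by_lhs.items():                       # (f), (g): only now
                    root = {t[0]: t for t in ts}                   # at most one term per root
                    if 'exp' in root and 'g' in root:              # (f): exp vs g
                        e, V1 = root['exp'], fresh()
                        eqs.remove((U, e)); cold.add((U, e))
                        eqs |= {(e[1], ('g', V1)), (root['g'][1], ('omul', V1, e[2]))}
                        break
                    if 'exp' in root and 'mul' in root:            # (g): exp vs *
                        e, m, V1, V2 = root['exp'], root['mul'], fresh(), fresh()
                        eqs.remove((U, e)); cold.add((U, e))
                        eqs |= {(e[1], ('mul', V1, V2)),
                                (m[1], ('exp', V1, e[2])), (m[2], ('exp', V2, e[2]))}
                        break
                else:
                    return eqs                                     # reduced: a solved form
```

Calling `unify({('U', ('exp', 'X', 'W')), ('U', ('mul', 'X', 'Y'))})` returns `None` before rule (g) is ever tried, because $U \sim X$ and $U \succ_m X$ put a self-loop on $P$; calling it on the (g)-peak with distinct $V$ and $X$ returns the four-equation solved form of rule (g). The cold-storage set is what keeps $U \sim V$ visible to $P$ after the defining exp equation has been removed.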



Lemma 4.5. Rule (f) commutes with rule (g). (See Figure 4.)

Proof. No variable can be an (f)-peak and a (g)-peak at the same time, because this would cause failure: such a variable would be defined by both a $g$-term and a $*$-term, which is rule (F3). Thus, application of rule (g) first does not affect the applicability of rule (f). □



Figure 4: Rule (f) commutes with Rule (g)
Theorem 4.6. Algorithm 1 always terminates.

Proof. If a failure condition or a cycle in one of the graphs is found, Algorithm 1 clearly halts. Assume none of these conditions occurs. Then some observations can be made. Every $\sim$-congruence class has a unique sink (w.r.t. $\succ_b$). Also, applying rule (g) does not increase the number of congruence classes: the new variables $V_1$ and $V_2$ are $\sim$-equivalent to $X$ and $Y$ respectively. Now $\succ$ can be used to define a well-founded partial order on the $\sim$-congruence classes. Thus the new exp equations created in rule (g) are on congruence classes lower than the earlier one. Applications of rule (g) will thus always terminate under the above assumptions. Since rule (f) can potentially increase the number of congruence classes, we need Lemma 4.5. Since one cannot get an infinite sequence of (g)-steps or (f)-steps, the algorithm terminates. □

5 Undecidability of unification of partial exponentiation with two Abelian group operators

Let us now consider the expanded theory where both $*$ and $\otimes$ are Abelian group operations. That is, we let $*$ represent multiplication modulo a prime $p$ and $\otimes$ represent multiplication modulo $p - 1$. We denote this equational theory as $E_1$ and the resulting AC-convergent system as $R_1$:

$$x * x^{-1} \to 1 \qquad (x * y)^{-1} \to x^{-1} * y^{-1} \qquad exp(Z^{-1}, X) \to (exp(Z, X))^{-1}$$

$$exp(g(X), Y) \to g(X \otimes Y) \qquad 1^{-1} \to 1$$

$$exp(X * Y, Z) \to exp(X, Z) * exp(Y, Z)$$

$$X \otimes 1 \to X \qquad X \otimes i(X) \to 1 \qquad i(i(X)) \to X \qquad i(X \otimes Y) \to i(X) \otimes i(Y)$$

where $\langle *, {}^{-1}, 1 \rangle$ forms the first Abelian group and $\langle \otimes, i(\cdot), 1 \rangle$ the second. The unification problem for this system is undecidable. The proof is by reduction from Hilbert's 10th problem (solvability of polynomial equations over the integers). It will be shown that multiplication and addition of numbers can be simulated in the above system. We make the assumption for the first part of the proof that we are allowed two distinct free constants $b$ and $c$. The following proof is a modification of the proof given in [5, 9].

Definition 5.1. Let $O_i(u)$ denote

• $u \otimes u \otimes \cdots \otimes u$ ($i$ times), if $i > 0$;

• $1$, if $i = 0$; and

• $i(u) \otimes i(u) \otimes \cdots \otimes i(u)$ ($|i|$ times), if $i < 0$.

Lemma 5.2. $g(s) =_{E_1} g(t)$ implies $s =_{E_1} t$.
Lemma 5.3. For every $m, n \in \mathbb{Z}$, the equation

$$x * g(O_n(b)) =^{?}_{E_1} exp(x, b) * g(O_m(b))$$

is solvable.



Unification modulo a partial theory of exponentiation



Proof.

(a) If $n > m$, then $x = g(O_{n-1}(b)) * \cdots * g(O_m(b))$ is a solution.

(b) If $n < m$, then $x = (g(O_n(b)) * \cdots * g(O_{m-1}(b)))^{-1}$ is a solution.

(c) If $n = m$, then $x = 1$ is a solution. □

Lemma 5.4. Let $b$ be a free constant and $m$ an integer. Then every solution to

$$x * g(y) =^{?}_{E_1} exp(x, b) * g(O_m(b))$$

is of one of the following forms:

(a) $n > m$, $y = O_n(b)$, $x = g(O_{n-1}(b)) * \cdots * g(O_m(b))$;

(b) $n < m$, $y = O_n(b)$, $x = (g(O_n(b)) * \cdots * g(O_{m-1}(b)))^{-1}$.

Proof. The proof is by contradiction. Suppose that there exist an integer $m$ and terms $t_x$ and $t_y$, in normal form modulo $R_1$, such that

$$t_x * g(t_y) =_{E_1} exp(t_x, b) * g(O_m(b))$$

where $t_y \neq O_n(b)$ for any $n$. Without loss of generality assume also that $t_x$ is a minimal (by size) counterexample, i.e., a minimal term such that $\exists m\, \exists t_y : t_x * g(t_y) =_{E_1} exp(t_x, b) * g(O_m(b))$. First of all note that since $R_1$ is AC-convergent, it must be that

$$t_x * exp(t_x^{-1}, b) * g(t_y) =_{E_1} g(O_m(b)).$$

Then $t_x$ can have two possible forms.

Case 1: $t_x = g(O_m(b)) * t'_x$. Then

$$g(O_m(b)) * t'_x * g(t_y) =_{E_1} exp(g(O_m(b)), b) * exp(t'_x, b) * g(O_m(b))$$

and thus

$$t'_x * g(t_y) =_{E_1} g(O_{m+1}(b)) * exp(t'_x, b).$$

Thus $t'_x$ is a smaller counterexample.

Case 2: $t_x = g(O_{m-1}(b))^{-1} * t'_x$. Then

$$g(O_{m-1}(b))^{-1} * t'_x * g(t_y) =_{E_1} exp(g(O_{m-1}(b)), b)^{-1} * exp(t'_x, b) * g(O_m(b))$$

and thus

$$t'_x * g(t_y) =_{E_1} g(O_{m-1}(b)) * exp(t'_x, b).$$

Thus $t'_x$ is a smaller counterexample. □
Lemma 5.5. Let $b$ and $c$ be free constants. Then the equations

$$exp(x, c) * g(O_j(b)) =^{?}_{E_1} exp(x, b) * g(u)$$

$$z * g(u) =^{?}_{E_1} exp(z, c) * g(1)$$

force $u$ to be equal to $O_j(c)$.

Proof. By Lemma 5.4 the second equation, $z * g(u) =^{?}_{E_1} exp(z, c) * g(1)$, forces $u = O_n(c)$ for some $n$ (note that $g(1) = g(O_0(c))$). Now replacing $b$ with $c$ everywhere in the first equation we get

$$exp(x, c) * g(O_j(c)) =_{E_1} exp(x, c) * g(O_n(c)).$$

By Lemma 5.2, $O_j(c) = O_n(c)$ and $j = n$. □



Lemma 5.6. Let $b$ and $c$ be free constants. Then the equations

$$exp(x, O_k(c)) * g(O_j(b)) =^{?}_{E_1} exp(x, b) * g(u)$$

$$z * g(u) =^{?}_{E_1} exp(z, c) * g(1)$$

force $u$ to be equal to $O_{jk}(c)$.

Proof. By Lemma 5.4, $u = O_n(c)$ for some $n$, as before. Now replacing $b$ by $O_k(c)$ in the first equation we get

$$exp(x, O_k(c)) * g(O_{jk}(c)) =_{E_1} exp(x, O_k(c)) * g(O_n(c)).$$

By Lemma 5.2, $O_{jk}(c) = O_n(c)$ and $n = jk$. □



With Lemma 5.6 we can now simulate multiplication of natural numbers. To see how this can be done, consider $z = x * y$ and let $x = O_i(b)$ and $y = O_j(b)$. We force $z = O_{ij}(b)$ as follows:

$$exp(w_1, c) * g(O_i(b)) =^{?}_{E_1} exp(w_1, b) * g(x_2) \quad \text{and} \quad w_2 * g(x_2) =^{?}_{E_1} exp(w_2, c) * g(1)$$

force $x_2 = O_i(c)$ by Lemma 5.5;

$$exp(w_3, x_2) * g(O_j(b)) =^{?}_{E_1} exp(w_3, b) * g(z_2) \quad \text{and} \quad w_4 * g(z_2) =^{?}_{E_1} exp(w_4, c) * g(1)$$

force $z_2 = O_{ij}(c)$ by Lemma 5.6. Finally we copy $z_2$ to $z$ with the equation

$$exp(w_5, c) * g(z) =^{?}_{E_1} exp(w_5, b) * g(z_2).$$
Lemma 5.7. Addition of natural numbers can be simulated in $E_1$.

Proof. Let $x = O_i(b)$ and $y = O_j(b)$, where $b$ is a free constant. Then $x \otimes y =_{E_1} O_{i+j}(b)$. □

Theorem 5.8. Unification over $E_1$ with free constants is undecidable.

Proof. Following the above outline, a unification problem can be constructed that simulates any system of diophantine equations. □
6 Extension and Limitations

In this paper we examined a partial theory of exponentiation, a critical component in several cryptographic protocols. Many of the protocols based on modular exponentiation also contain additional algebraic properties and axioms that could correspond to extensions of this partial exponentiation theory. Therefore, an important question that naturally arises is how far we can extend the theory and maintain decidability. Unfortunately, additional extensions can quickly result in undecidable unification problems. This was demonstrated when the operations $\otimes$ and $*$ were allowed to form abelian groups. Therefore, ideally, extensions should maintain decidability while adding axioms useful in modeling additional cryptographic protocols. We are currently examining two different possible extensions. The first is allowing just one of the $\otimes$ and $*$ operations to be abelian. The second is extending the axiom set to include additional algebraic operators such as modular addition. Several other papers have also considered the unification problem for equational systems that contain some type of exponentiation. For convenience, we give a condensed overview of a selection of these results in Table 1.



Table 1: Results for E-unification with exponentiation.

Equational theory: Abelian group with the axioms $exp(x, 1) = x$ and $exp(exp(x, y), z) = exp(x, y * z)$.
Unification problem: NP-complete.

Equational theory: Two theories, denoted $E_1$ and $E_2$, consisting of an abelian group with operator $\cdot$ and a monoid with operator $\circ$, with the additional axioms $x^1 = x$, $1^y = 1$, $(x \cdot y)^z = x^z \cdot y^z$, and $(x^y)^z = x^{y \circ z}$. $E_2$ adds the axiom $x \circ i(x) = 1$, $i(x)$ being the inverse, to the theory.
Unification problem: Undecidable for both $E_1$ and $E_2$.

Equational theory: Two main results. Theory $E_3$ consists of an abelian group for operator $\cdot$ along with the axioms $x^1 = x$, $1^y = 1$, and $(x \cdot y)^z = x^z \cdot y^z$. Theory $E_4$ consists of $E_3$ with the addition of a monoid operator $\circ$ and the axiom $(x^y)^z = x^{y \circ z}$.
Unification problem: $E_3$ is decidable and $E_4$ is undecidable.

Equational theory: Two theories, denoted $E$ and $E_0$. $E$ consists of an abelian group with operator $\cdot$ and the axioms $x^1 = x$, $1^y = 1$, $(x \cdot y)^z = x^z \cdot y^z$, and $(x^y)^z = x^{y \cdot z}$. $E_0$ is the same as $E$ but the axiom $(x^y)^z = x^{y \cdot z}$ is replaced with the axiom $(x^y)^z = (x^z)^y$.
Unification problem: $E$ is undecidable and $E_0$ is decidable.



Most of these results are of high complexity. Therefore, we are also exploring heuristic methods of implementation to enable their integration into the automated protocol analysis system Maude-NPA [11].